XenServer: Unknown Error Occurred Connecting with XenCenter

When connecting to XenServer 5.5 from XenCenter on an up-to-date Windows machine, you get an Unknown Error. The cause is the weak SSL certificate xapi generated on the host (a 512-bit RSA key), which current Windows TLS stacks refuse; the fix is to generate a stronger one. The logs below show the errors and where to find them so you can verify that this is the issue.

I couldn’t find all of this information easily consolidated in one place, and hopefully this will save someone time if they come across the same issue.

XenCenter Logs

Location: %appdata%\Citrix\XenCenter\logs\XenCenter.log

2017-10-17 13:05:08,154 DEBUG XenAdmin.Network.XenConnection [Connection to xxx.xxx.xxx.xxx] - XenConnection: trying to connect to
2017-10-17 13:05:08,661 DEBUG XenAdmin.Network.XenConnection [Connection to xxx.xxx.xxx.xxx] - The request was aborted: Could not create SSL/TLS secure channel.
2017-10-17 13:05:08,661 WARN  XenAdmin.Network.XenConnection [Connection to xxx.xxx.xxx.xxx] - XenConnection: failed to connect to The request was aborted: Could not create SSL/TLS secure channel.
2017-10-17 13:05:08,661 DEBUG XenAdmin.Actions.Action [Connection to xxx.xxx.xxx.xxx] - The request was aborted: Could not create SSL/TLS secure channel.

(Source: Citrix: XenCenter Event Log)

XenServer Logs

Location: /var/log/secure

Oct 17 13:06:29 xen-105519 stunnel: LOG5[15145:3085974416]: xapi connected from xxx.xxx.xxx.xxx:55170
Oct 17 13:06:29 xen-105519 stunnel: LOG3[15145:3085974416]: SSL_accept: Peer suddenly disconnected
Oct 17 13:06:29 xen-105519 stunnel: LOG5[15145:3085974416]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

(Source: XenCenter 6.5 and 7 “unknown error” while connecting to XenServer 5.6.0)

Fix:

Through SSH or console access, do the following.

First verify that the key is 512 bits: in the output of the command below, look for the key size in the Subject Public Key Info section.

openssl x509 -in /etc/xensource/xapi-ssl.pem -text

Because the script that generates the certificate is read-only, create a copy of it in the temp directory.

cp /opt/xensource/libexec/generate_ssl_cert /tmp

Use vi to edit the new file.

vi /tmp/generate_ssl_cert

Press i to enter insert mode, then change the first line below so that it reads like the second (the key size is added):

openssl genrsa > privkey.rsa
openssl genrsa 1024 > privkey.rsa

Press Escape followed by k, then type :wq! to write the changes to the file and quit without prompting.

Back up the existing cert.

cp /etc/xensource/xapi-ssl.pem /etc/xensource/xapi-ssl.pem.backup

Stop the xapissl service.

/etc/init.d/xapissl stop

Generate the new SSL cert (the second argument is the host's FQDN, supplied via command substitution in backticks, not quotes).

/tmp/generate_ssl_cert /etc/xensource/xapi-ssl.pem `hostname -f`

Start the xapissl service.

/etc/init.d/xapissl start

(Source: WebbosWorld: XenCenter Could not create SSL/TLS Secure Channel)
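The procedure above, wrapped in a script that first measures the key size and only regenerates when it is too short. This is an added example, not code from the post; the paths are the ones the post uses, and MIN_BITS/NEW_BITS are assumed values (1024 matches the post, 2048 is the usual floor today). It also assumes the `openssl genrsa > privkey.rsa` line in generate_ssl_cert looks exactly as the post shows it.

```shell
#!/bin/sh
# Added example, not from the post: report the RSA key size of xapi-ssl.pem
# and, when it is below MIN_BITS, rebuild it with the post's steps.
# Source this file and call check_and_fix on the XenServer host.
CERT=/etc/xensource/xapi-ssl.pem
GEN=/opt/xensource/libexec/generate_ssl_cert
MIN_BITS=${MIN_BITS:-1024}   # assumed threshold; the post's problem key is 512
NEW_BITS=${NEW_BITS:-1024}   # assumed; 1024 matches the post, 2048 is standard today

# Pull the key size out of "openssl x509 -text" output read on stdin.
# Accepts both "Public-Key: (512 bit)" and the older "RSA Public Key: (512 bit)".
key_bits_from_text() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}
# Key size of a PEM certificate file (needs openssl on the host).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | key_bits_from_text
}
# True when a size is known and below MIN_BITS.
key_too_short() {
    [ -n "$1" ] && [ "$1" -lt "$MIN_BITS" ]
}
# The post's procedure: patched copy of generate_ssl_cert, backup, restart xapissl.
regenerate_cert() {
    cp "$CERT" "$CERT.backup.$(date +%Y%m%d%H%M%S)"
    sed "s/^openssl genrsa > privkey.rsa/openssl genrsa $NEW_BITS > privkey.rsa/" \
        "$GEN" > /tmp/generate_ssl_cert
    chmod +x /tmp/generate_ssl_cert
    /etc/init.d/xapissl stop
    /tmp/generate_ssl_cert "$CERT" "$(hostname -f)"
    /etc/init.d/xapissl start
    rm -f /tmp/generate_ssl_cert
}
check_and_fix() {
    bits=$(cert_key_bits "$CERT")
    if [ -z "$bits" ]; then
        echo "could not read key size from $CERT" >&2
        return 1
    fi
    if key_too_short "$bits"; then
        echo "key is $bits bits, below $MIN_BITS: regenerating" >&2
        regenerate_cert
    else
        echo "key is $bits bits: nothing to do" >&2
    fi
}
```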


XenServer: Alternate Auto-Start VM Option

Create the boot script

Method 1: Auto-start all servers

vi /etc/rc.d/init.d/RunVMonBoot.sh

xe vm-list power-state=halted | grep uuid | cut -c 24- | xargs -I {Var} xe vm-start uuid={Var}

Method 2: Auto-start selected servers

vi /etc/rc.d/init.d/RunVMonBoot.sh

xe vm-start uuid=SERVERUUIDHERE

Note: Repeat the “xe vm-start uuid=” line as many times as needed, one per VM.

Press Escape followed by K to stop editing.

Press : followed by wq! to save changes and quit editing.

Run the following command to add execute privileges to the script.

chmod +x /etc/init.d/RunVMonBoot.sh

Run the following to add execute privileges to the startup script.

chmod +x /etc/rc.d/rc.local

Run the following to edit the startup script.

vi /etc/rc.d/rc.local

Append these lines to the script (press i to allow inserting). The sleep gives xapi time to come up before the boot script calls it.

sleep 180
/etc/rc.d/init.d/RunVMonBoot.sh

Press Escape followed by K to stop editing.

Press : followed by wq! to save changes and quit editing.


PowerShell: Disabling and Moving Inactive Users

While this isn’t my cleanest work, it did the job fairly well.

Also, I assume you’ve already added the Active Directory module; I believe the command below will add it.

import-module activedirectory

This script will go through an OU, searching its contained OUs, find inactive users, then disable them and move them into their own ‘Disabled’ sub-OU.

This comes in handy when you have a bunch of client sites that are organized and you want to maintain organization.

# Threshold for "inactive": LastLogonTimeStamp is stored as a FILETIME, so the comparison
# value must be one too. 90 days is an assumed value; adjust it to your own policy.
# Note that LastLogonTimeStamp only replicates every 9-14 days, so it is not exact.
$time = (Get-Date).AddDays(-90).ToFileTime()

# Walk each child OU of the top-level OU (one level deep)...
Foreach ($i in (Get-ADOrganizationalUnit -Filter * -SearchBase "OU=MyOU,DC=mydomain,DC=local" -SearchScope OneLevel | foreach { $_.DistinguishedName })){
    Echo "-------------------------------------------"
    Echo $i
    Echo "-------------------------------------------"
    # ...find the enabled users in it that have not logged on since $time...
    ForEach ($xx in (Get-ADUser -SearchBase $i -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp)){
        Echo "Disabling User"
        Echo $xx.Name
        Disable-ADAccount -Identity $xx.ObjectGUID
        Echo "Moving User"
        # ...and move each one into the "Disabled" sub-OU of that OU (created by the script below).
        $DisabledPart1 = "OU=Disabled,"
        $DisabledOU = $DisabledPart1+$i
        Move-ADObject -Identity $xx.ObjectGUID -TargetPath $DisabledOU
    }
    Echo "-------------------------------------------"
}

Below is a script that creates the ‘Disabled’ OUs.

# Create a "Disabled" sub-OU under each child OU of the top-level OU.
Foreach ($i in (Get-ADOrganizationalUnit -Filter * -SearchBase "OU=MyOU,DC=mydomain,DC=local" -SearchScope OneLevel | foreach { $_.DistinguishedName })){
    echo $i
    New-ADOrganizationalUnit -Name Disabled -Path $i -Description "Disabled Accounts" -PassThru
}

I combined everything into a PowerShell application, which can be downloaded from the post.

Note: This application will only search through enabled accounts.


Terminal Server Gateways and PCI Compliance

Before starting, every Windows 7/Server 2008 R2 client will need a specific patch (KB3080079) so that its Remote Desktop client can use TLS 1.1+ to connect to the Gateway after the directions below have been followed.

To begin, download the IISCrypto software from Nartac onto the gateway server.

Upon opening, accept the agreement if it appears.

Click on the Templates section.

Select “PCI 3.1” in the drop down.

Click Apply.

Reboot the server.

It’s possible that at this point you will be unable to connect and will get the following error in the event log.

A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

To fix this error, open the Control Panel, click Administrative Tools, and then open Local Security Policy.

In Local Security Settings, expand Local Policies, and then click Security Options.

Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled.

You may or may not need to run gpupdate /force afterwards.


XenServer Security: Clearing CIFS/SMB Passwords

XenServer stores the passwords to any CIFS/SMB share you are currently using or have used in the past even if the share was removed. (Tested this up to XenServer 7.)

Now, this can be a concern because these credentials might be for a domain account, a domain administrator account, or an account with privileged access to a specific system. I wrote the following command to go through and clear all of the stored CIFS/SMB share passwords.

xe secret-list | grep uuid | cut -c 17- | xargs -I {Var} xe secret-destroy uuid={Var}

This queries all existing passwords, strips the surrounding text, and removes the saved passwords. Broken down piece by piece:

xe secret-list

Lists all passwords and UUIDs.

xe secret-list | grep uuid

Lists just the UUID lines of the existing CIFS passwords.

cut -c 17-

Removes the excess characters from the output of “xe secret-list | grep uuid”, leaving only the UUID.

xargs -I {Var}

Passes each result of the previous command to the next one in a named placeholder, in this case “{Var}”.

xe secret-destroy uuid=

Removes the password that “xe secret-list” showed.
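Both this cleanup and the auto-start script in the earlier post pull UUIDs out of xe list output with a fixed column offset (cut -c 17- and cut -c 24-), which breaks as soon as the label padding differs. The helper below matches the “uuid ( RO)” label instead and defaults to a dry run so the secret list can be reviewed before anything is destroyed. Added example, not code from the posts; it assumes xe is on PATH on the host, and the sample secret-list output is constructed.

```shell
#!/bin/sh
# Added example (not from the posts): pull UUIDs out of any "xe *-list" output
# by matching the "uuid ( RO)" label instead of a fixed column offset, then
# run an xe verb on each one with a dry-run default. Replaces both
# "cut -c 24-" (vm-list) and "cut -c 17-" (secret-list); those offsets differ
# only because xe pads the label column differently per object type.
DRY_RUN=${DRY_RUN:-1}   # set DRY_RUN=0 to actually run the xe commands

# Read xe list output on stdin, print one UUID per line.
xe_uuids() {
    sed -n 's/^[[:space:]]*uuid ( RO)[[:space:]]*: *\([0-9a-f-]\{36\}\).*/\1/p'
}

# Number of UUIDs in the input, to eyeball before a destructive run.
xe_uuid_count() {
    xe_uuids | wc -l | tr -d ' '
}

# Run "xe <verb> uuid=<uuid>" for every UUID read from stdin.
xe_for_each_uuid() {
    verb=$1
    while IFS= read -r uuid; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "would run: xe $verb uuid=$uuid"
        else
            xe "$verb" uuid="$uuid"
        fi
    done
}

# Constructed sample of "xe secret-list" output (not captured from a real host).
SAMPLE_SECRET_LIST='uuid ( RO)    : 1b2c3d4e-5f60-4718-8293-a4b5c6d7e8f9
    value ( RW): REDACTED


uuid ( RO)    : 9f8e7d6c-5b4a-4392-8170-fedcba987654
    value ( RW): REDACTED
'

# Dry-run demo on the sample. The real pipelines from the two posts are:
#   xe vm-list power-state=halted | xe_uuids | xe_for_each_uuid vm-start
#   xe secret-list | xe_uuids | xe_for_each_uuid secret-destroy
demo() {
    printf '%s' "$SAMPLE_SECRET_LIST" | xe_uuids | xe_for_each_uuid secret-destroy
}
```

Run the secret-destroy pipeline with DRY_RUN=1 first and check the list: a secret that a still-attached CIFS ISO SR refers to is needed the next time that SR is plugged, so keep that one.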


Remote DNS Configuration (Windows)

In the event that you need to update the DNS on a domain computer that you do not have physical access to and the users do not have local admin privileges, this might help.

You will need to start by downloading the PsTools suite from Microsoft onto a computer that has local network access to the target, directly or over a VPN.

From there you will need to extract the PsExec.exe application and open an administrative command prompt (Domain Administrator credentials) in that folder.

  • Next, run PsExec as shown below.
    psexec \\COMPUTERNAME cmd.exe
  • Replace COMPUTERNAME with the name of the computer you want to connect to.
  • If this is your first time running the application, you will likely need to accept the license.

If done properly, this will launch a command prompt on the remote computer. If not, it will tell you that it failed.

The next steps are to get the name of the interface you want to change and then update DNS.

  • netsh interface show interface
    • This lists the names of your network adapters, in this case “Local Area Connection”.
  • netsh interface ipv4 add dnsserver "Local Area Connection" address=192.168.x.x index=1
    netsh interface ipv4 add dnsserver "Local Area Connection" address=192.168.x.x index=2

The user at the computer should be able to access the internet again after this has been successfully completed.

Cisco 871 Router: Quickly Change the ISP

PuTTY into the 871 router.

Run the command “show run” and scroll through to find the outside interface, its IP address and subnet mask.

interface FastEthernet4
ip address %CurrentIPAddress% %CurrentIPSubnet%

Scroll further and get the IP route (the gateway address).

ip route %CurrentGatewayIP%

Prepare a short script to remove the old ISP settings and add the new ISP settings. Start with the gateway (ip route). Example below:

no ip route %CurrentGatewayIP%
ip route %NewGatewayIP%

interface FastEthernet4
no ip address %CurrentIPAddress% %CurrentIPSubnet%
ip address %NewIPAddress% %NewIpAddressSubnet%

Run the command “conf t”.

Copy and paste the entire script into PuTTY.

Once the internet is verified up and running, “exit” out of config mode.

Run the command “write mem” to save the configuration.


XenServer: Rogue/Missing/Invisible Virtual Machine

Yesterday, I had the pleasure of finding out that there was an invisible/missing/rogue VM on one of the servers in our pool.

We had a “dead-beef” issue a few weeks prior and had attempted to migrate our VMs off to other members of the pool before rebooting the member. With that attempt, it caused all of the VMs to go into a paused state from which a forced shutdown was required. We rebooted the server at that point because it was the only way we could get the “dead-beef” issue recovered.

After the pool member reboot, the VMs would not start, so we cloned them and booted them up. Everything seemed fine in the next few weeks, until I decided to delete the originals as the replacements appeared to be functioning fine.

One of those servers had apparently been running in the background even though XenServer showed it as off.

We could ping it, see a MAC address for it that didn’t match the server it should have been, etc. Though, it didn’t show up in any VM list, be it from the XenCenter console, or through the “xe vm-list” command.

Later, we discovered that there was an extra domain (command: list_domains) on one of the servers. It’s possible that it could have been fixed by destroying that domain, but we ended up rebooting the entire pool. I started with that pool member after shutting down / migrating the existing VMs and placing it into Maintenance Mode.

The rogue server stopped responding pretty much immediately at this point and when it came back up it was no longer an issue.

TL;DR – Apparently, sometimes a server can be running in XenServer with nearly no record of its existence after being deleted in a “powered off” state.


Helping Out

I’ve spent a lot of time scouring the internet for solutions in my life. Sometimes I needed to piece multiple things together from multiple sources to get a decent fix. I have been documenting these things, but I haven’t had a place to share them, and I feel like other people could benefit from some simplified resources.

It’s my turn to give something back to the community that has helped me develop my career.
